This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 57.00000000000001%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
Hello,
We are using Intune and Defender for Endpoint in our environment. MDE and Intune were already enabled but not configured, so when people connected to their users from their personal computers it also registered them in MDE. We were left with a lot of unnecessary computers and distracting incidents.
Our environment includes virtual machines for testing, computers belonging to our domain, and personal computers belonging to users. Perosnal computers have workgroup as their domain, and they don't appear in Intune or AAD.
Our ideal environment includes only Windows and Linux computers that belong to our domain (Intune).
Right now, I concluded the following:
What is the best way to offboard all personal computers from the workgroup domain without affecting the computers that belong to our domain or our virtual machines? How can we modify the scripts to make them more effective? We are running Microsoft Defender for Endpoint on Windows 10 computers mostly. I'll be happy to provide any other relevant system information.
Thank you!
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Hello Melissa
Remove-MpPreference -RemoveAllSettings -Force
Hi @Gleb Greenspan , thank you so much for reaching out!
It seems like a good way to prevent any more computers that are Domain joined from enrolling in MDE for the time being. I checked for the security policy and found "Microsoft Defender Antivirus".
It was unclear to me what values should be in the policy or if it was only meant to be a "dummy" policy. Still, your answer gave me some understanding of how to control the MDE enrollment.
I also found another policy type, shown in the picture below.
It offers to offboard using an offboarding blob. I am still unsure of its effects but wish to mention it here.
Regarding the offboarding - our problem is that we don't have any third-party software to access all those personal computers and use local scripts to run them. They are personal devices of people who we can't identify or locate. We are left with the device ID/name as the only valuable information in most cases.
Thank you for answering,
Melissa.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Melissa Ray, Thanks for posting in Q&A. From your description, it seems you want to offboard the windows which is not AD and not managed by Intune. For such device, based on my researching, it can be offboard by local script which is mentioned in the following link:
As Microsoft defender for endpoint support is not in Q&A. If you want to get more help, you can contact them by open case with the method in the following link to get help.
Thanks for your understanding.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Crystal-MSFT Thank you for your input!
Sadly I cannot run local scripts on the private computers. Some are labeled as 'unknown' under Managed by and don't appear under Intune or Azure AD.
Moreover, I have no way of contacting the owners of those devices \ they do not belong to the organization anymore.
Are you aware of any commands one can run from MDE to offboard a computer? I saw one reply on another forum using API to offboard but it yielded no results to me.
I have opened a support ticket in the M365 security center, thank you for your suggestion!
@Melissa Ray, Thanks for the reply. I notice the local script is unable to run and the device is not belonging to your organization any more. For such scenario, I didn't find other method after researching. I notice the case is opened. You can contact the support to see if they can help to delete these devices in the background.
@Crystal-MSFT Thank you. I have contacted the support, and the conclusion is if the device is out of the organization, and there is no connectivity, there is no possible way to force offboard it.
I will attach some information I that might be useful for other people who tackle the same problem. Thank you for trying to help me out!
@Melissa Ray, Thanks for your information. It can help others who have the same issue. Thanks!
After checking the suggestions and consoling with the support team, I've come to conclude there is currently no available solution to force offboard devices that are out of the organization and have no way to connect to them. If there are no third-party solutions to centralized and distribute the offboarding script, you'd have to do it manually for each computer.
@Gleb Greenspan 's suggestion sounds like a good starting point to prevent any more onboarding of computers that don't belong to the organization using AAD.
What we plan to do next is as follow:
The responds I received from the Support team are written below.
- Can we perform Offboarding for computers who are not in the domain, and we have no access to?
For security purposes, the device will remain in the portal as an historical record for up to 180 days. However, the device's data will be purged according to your configured retention period.
For security purposes, the device will remain in the portal as an historical record for up to 180 days. However, the device's data will be purged according to your configured retention period.
I.e. The machines will “disappear” from the portal once the machines becomes inactive (they stop sending cyber data and the Sensor health state is 'inactive'), and no later than 180 days since since they stopped sending data to cloud.
- Can we lower the retention period for purging purposes?
No, this is hard-coded in the backend by design, and no way to reconfigure it.
- There is an azure policy called MDE.window/MDE.linux that ran automatically on computers where Defender for servers was activated. What steps do I need to make to offboard the computers?
Steps to removing the extension are documented in this article.
-How can an end user check if the computer has defender for endpoint?
To quickly check if the machine is onboarded check "Windows Defender Advanced Threat Protection Service" under services and also Task Manager > Details > "MsSense.exe". Notice the service's status will remain as stopped.
- Can I reset the whole MDE?
It is only possible with a new Organization ID. Otherwise you can just onboard new devices to the MDE portal.
I hope this answer is comprehensive and provide you with needed information. Thank you for who assisted!
If you can Live Response into the machine you can run the offboarding script from there. Since the Offboarding script is a cmd file, you will need to upload the cmd file and create/upload a ps1 file that calls the cmd file. I tested this from my lab to my home PC. It worked great.
Hello, this is in fact an idea I had, and also tried to execute. Sadly, it didn't work. Can you kindly expend on what you did? Thank you for the great suggestion!